IP Access Rules — Allow and Block by IP
Cloudflare IP Access Rules let you allow or block traffic based on source IP address, CIDR range, or country code — a first line of defense against malicious traffic before it reaches your origin.
What You Will Learn
You will learn how IP Access Rules fit into Cloudflare's security model, how to configure them through the dashboard and API, and how to combine them with other WAF features for layered protection.
Why It Matters
IP-based filtering stops known bad actors at the network edge before they consume origin resources or trigger application-level rules. Blocking entire countries or known attacker IPs reduces attack surface without complex rule logic.
Real-World Use Case
A SaaS dashboard receives repeated login attempts from a specific IP range in a high-risk region. An IP Access Rule blocks that range at Cloudflare's edge, reducing failed auth events by 90% and saving origin compute.
How IP Access Rules Work
IP Access Rules evaluate the source IP of every request before it reaches any Cloudflare WAF custom rule. If the IP matches a block rule, Cloudflare returns a 403 immediately without passing the request to the origin.
```mermaid
flowchart LR
    A[Visitor IP] --> B{IP Access Rule?}
    B -->|Allow| C[Pass to WAF]
    B -->|Block| D[403 Forbidden]
    B -->|Skip| C
    C --> E[Origin Server]
```
Configuration Options
Three actions are available for IP Access Rules:
| Action | Behaviour |
|---|---|
| Allow | Whitelists the IP — overrides other blocking rules |
| Block | Returns 403 for matching requests |
| Skip | Passes request without evaluating other access rules |
Rules can target individual IPs, CIDR ranges (e.g. 203.0.113.0/24), or entire countries using two-letter ISO codes.
Step-by-Step: Dashboard Configuration
- Log in to the Cloudflare Dashboard and select your domain.
- Navigate to Security > WAF > Tools.
- Under IP Access Rules, enter the IP or CIDR range.
- Select Block or Allow from the action dropdown.
- Choose whether the rule applies to the dashboard API, your site, or both.
- Click Add to activate the rule immediately.
API Configuration Example
Use the Cloudflare API to manage IP Access Rules programmatically:
```bash
# A CIDR value needs the "ip_range" target; "ip" is for a single address.
curl -X POST "https://api.cloudflare.com/client/v4/zones/ZONE_ID/firewall/access_rules/rules" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{
    "mode": "block",
    "configuration": {
      "target": "ip_range",
      "value": "198.51.100.0/24"
    },
    "notes": "Block known scanner range"
  }'
```
Expected output:
```json
{
  "result": {
    "id": "rule_id_here",
    "mode": "block",
    "notes": "Block known scanner range"
  },
  "success": true
}
```
Python Script for Bulk Blocking
When you have hundreds of IPs to block, use the API with a script:
```python
import os

import requests

# Zone ID and API token come from the environment, never from source code.
ZONE_ID = os.environ["CLOUDFLARE_ZONE_ID"]
TOKEN = os.environ["CLOUDFLARE_API_TOKEN"]
URL = f"https://api.cloudflare.com/client/v4/zones/{ZONE_ID}/firewall/access_rules/rules"
HEADERS = {
    "Authorization": f"Bearer {TOKEN}",
    "Content-Type": "application/json",
}

block_ips = ["203.0.113.1", "203.0.113.2", "203.0.113.3"]

for ip in block_ips:
    # One rule per address; the note records where the entry came from.
    payload = {
        "mode": "block",
        "configuration": {"target": "ip", "value": ip},
        "notes": "Bulk block from threat feed",
    }
    # A timeout keeps one stalled request from hanging the whole run.
    resp = requests.post(URL, json=payload, headers=HEADERS, timeout=10)
    print(f"{ip}: {resp.status_code} - {resp.json()['success']}")
```
Expected output:
```
203.0.113.1: 200 - True
203.0.113.2: 200 - True
203.0.113.3: 200 - True
```
Country Blocking via API
Block an entire country by passing its ISO code:
```bash
curl -X POST "https://api.cloudflare.com/client/v4/zones/ZONE_ID/firewall/access_rules/rules" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{
    "mode": "block",
    "configuration": {
      "target": "country",
      "value": "RU"
    },
    "notes": "Block traffic from Russia"
  }'
```
Expected output:
```json
{
  "result": { "mode": "block", "configuration": { "target": "country", "value": "RU" } },
  "success": true
}
```
Common Mistakes
| Mistake | Consequence |
|---|---|
| Blocking your own IP | Locks you out of the dashboard |
| Using allow rules without other controls | Malicious IPs bypass all WAF checks |
| CIDR too broad (e.g. /8) | Blocks legitimate users across entire ISP |
| Not adding notes | Impossible to audit rules later |
| Confusing Skip and Allow | Skip still logs; Allow suppresses all checks |
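
A pre-flight check that catches three of the mistakes in the table (blocking your own IP, an overly broad CIDR, missing notes) before any rule is sent to the API. This is an added example, not code from the original page. The protected address, the minimum prefix policy, the sample list and the function names are assumptions, and CIDR entries use the API's `ip_range` target.

```python
import ipaddress

# Assumed local policy and constructed sample data (none of it from the page).
PROTECTED = [ipaddress.ip_network("192.0.2.10/32")]  # e.g. your admin egress IP
MIN_PREFIX = {4: 24, 6: 64}  # refuse ranges broader than this per IP version
SAMPLE = ["203.0.113.7", "198.51.100.0/24", "10.0.0.0/8",
          "192.0.2.0/24", "203.0.113.7", "not-an-ip"]


def build_block_payload(entry, notes):
    """Return the JSON body for one block rule, or raise ValueError."""
    if not notes or not notes.strip():
        raise ValueError("notes are required so the rule can be audited")
    net = ipaddress.ip_network(entry.strip(), strict=False)  # ValueError if bad
    if net.prefixlen < MIN_PREFIX[net.version]:
        raise ValueError(f"{net} is broader than /{MIN_PREFIX[net.version]}")
    for own in PROTECTED:
        if own.version == net.version and net.overlaps(own):
            raise ValueError(f"{net} covers protected address {own}")
    if net.prefixlen == net.max_prefixlen:  # single host
        target = "ip" if net.version == 4 else "ip6"
        value = str(net.network_address)
    else:  # CIDR range
        target, value = "ip_range", str(net)
    return {"mode": "block", "notes": notes.strip(),
            "configuration": {"target": target, "value": value}}


def preflight(entries, notes):
    """Split entries into payloads to send and (entry, reason) rejections."""
    accepted, rejected, seen = [], [], set()
    for entry in entries:
        try:
            payload = build_block_payload(entry, notes)
        except ValueError as exc:
            rejected.append((entry, str(exc)))
            continue
        value = payload["configuration"]["value"]
        if value in seen:
            rejected.append((entry, "duplicate of an earlier entry"))
            continue
        seen.add(value)
        accepted.append(payload)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = preflight(SAMPLE, "Bulk block from threat feed")
    print(len(ok), "payloads ready;", "rejected:", bad)
```

Each accepted payload can be passed as the `json=` body of the POST request in the bulk script above.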
Practice Questions
- What is the difference between Allow and Skip in IP Access Rules?
- How do you block an entire country using the Cloudflare API?
- Why should you avoid creating overly broad CIDR block rules?
Challenge
Write a script that fetches a public threat feed (e.g. from AlienVault OTX), extracts IPs, and creates IP Access Rules for any that are not already blocked in your zone.
Real-World Task
Your e-commerce site is being targeted by a scraper operating from a /24 range. Create a set of IP Access Rules that blocks the range but allows individual IPs that pass a captcha challenge. Document the rule ordering you would use.
Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro — security-first tools for the modern web.